IPSec design for OSPFv3?
Eugene M. Zheganin
emz at norma.perm.ru
Mon Sep 9 19:17:24 CEST 2013
Hi.
On 06.09.2013 22:47, Thomas Johnson wrote:
> I'm looking around, and not seeing anything online regarding how to
> protect BIRD OSPFv3 with IPSec (at least on FreeBSD). I am able to
> configure IPSec transport mode to protect unicast traffic between
> routers; but multicast traffic is still transmitted without AH.
>
> A number of sources seem to be setting up a GRE/IPSec tunnel between
> routers, and running OSPF on that interface, facilitating multicast
> traffic. That seems counter to performance though, wouldn't data
> traffic then [needlessly] use the tunnel? Another thought I had was to
> configure all OSPF interfaces as NBMA, making OSPF traffic easier to
> protect.
>
If you are running ospf inside your own network then there is probably
no need to encrypt it with ipsec. If you are running ospf in a WAN
environment, you probably run it inside gre/gif tunnels (which you use
for some sort of VPNs), then their traffic should be encrypted too.
I definitely cannot imagine an environment with IPSEC encrypting ospf,
but without any sort of VPN and any other VPNed traffic. Cisco/Juniper
equipment also can run an ipsec tunnel in the form of an interface capable
of running dynamic routing protocols (for same purpose as the gre/gif in
FreeBSD). Linux is capable of this too, as I heard. FreeBSD cannot do
this; so far no one seems to be interested in implementing this.
Eugene.